Dear TLS list,

Sitting in Santa Barbara, I have just learned that our nonce randomization does slightly better than GCM in the multiuser setting. However, XGCM would produce even better security.

XGCM is GCM with masking applied to blocks before and after each encryption. It can be implemented on top of counter mode and GHASH easily. As an alternative we could use 256-bit keys.

Sincerely,
Watson Ladd
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
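Added example (not code from the message above, nor from any IETF draft or the Bellare-Tackmann paper): the construction the message describes, a block cipher with a secret mask XORed in before and after every call, can be dropped under an unmodified GCM, because GCM only ever invokes the block cipher in the forward direction. In Go that is literally `cipher.NewGCM` over a custom `cipher.Block`. Assumptions of this example: the masking is the DESX-style `E_K(x XOR L) XOR L` with one 16-byte mask `L` on both sides; `K` and `L` are supplied as separate inputs (how they would be derived from a TLS traffic secret is not shown); the names `maskedBlock`, `NewXGCM` and `SealBoth` and all inputs are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// maskedBlock wraps a 128-bit block cipher E_K as the DESX-style transform
//
//	XE_{K,L}(x) = E_K(x XOR L) XOR L
//
// Under GCM this means the GHASH key becomes E_K(L) XOR L and every keystream
// block is E_K(ctr XOR L) XOR L; counter mode and GHASH themselves are untouched.
type maskedBlock struct {
	inner cipher.Block
	mask  [aes.BlockSize]byte
}

func (m *maskedBlock) BlockSize() int { return aes.BlockSize }

// xor writes src XOR mask into dst (16 bytes); safe when dst aliases src.
func (m *maskedBlock) xor(dst, src []byte) {
	for i := range m.mask {
		dst[i] = src[i] ^ m.mask[i]
	}
}

func (m *maskedBlock) Encrypt(dst, src []byte) {
	var buf [aes.BlockSize]byte
	m.xor(buf[:], src)              // pre-whitening with L
	m.inner.Encrypt(buf[:], buf[:]) // E_K
	m.xor(dst, buf[:])              // post-whitening with L
}

// Decrypt is the inverse permutation; GCM never calls it, but cipher.Block requires it.
func (m *maskedBlock) Decrypt(dst, src []byte) {
	var buf [aes.BlockSize]byte
	m.xor(buf[:], src)
	m.inner.Decrypt(buf[:], buf[:])
	m.xor(dst, buf[:])
}

// NewXGCM builds AES-GCM over the masked block cipher. key is a 16, 24 or
// 32-byte AES key, mask is the 16-byte L (assumed supplied by the caller).
// An all-zero mask yields standard AES-GCM, byte for byte.
func NewXGCM(key, mask []byte) (cipher.AEAD, error) {
	if len(mask) != aes.BlockSize {
		return nil, fmt.Errorf("xgcm: mask must be %d bytes, got %d", aes.BlockSize, len(mask))
	}
	inner, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	mb := &maskedBlock{inner: inner}
	copy(mb.mask[:], mask)
	return cipher.NewGCM(mb) // Go's generic GCM accepts any 128-bit cipher.Block
}

// SealBoth encrypts the same record under plain AES-GCM and under XGCM with the
// same key, nonce and associated data, returning both ciphertext||tag outputs
// so the effect of the mask can be compared directly.
func SealBoth(key, mask, nonce, aad, pt []byte) (gcmCT, xgcmCT []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	xgcm, err := NewXGCM(key, mask)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nil, nonce, pt, aad), xgcm.Seal(nil, nonce, pt, aad), nil
}

func main() {
	// Constructed demo inputs; not test vectors from any specification.
	key := []byte("0123456789abcdef")
	mask := []byte("fedcba9876543210")
	nonce := []byte("unique nonce") // 12 bytes, the GCM default nonce size
	aad := []byte("record header")
	pt := []byte("attack at dawn")

	gcmCT, xgcmCT, err := SealBoth(key, mask, nonce, aad, pt)
	if err != nil {
		panic(err)
	}
	fmt.Println("AES-GCM:", hex.EncodeToString(gcmCT))
	fmt.Println("XGCM   :", hex.EncodeToString(xgcmCT))
	fmt.Println("differ under same key and nonce:", !bytes.Equal(gcmCT, xgcmCT))
}
```

Two things worth checking when you run it: a zero mask reproduces AES-GCM exactly, which is the backward-compatibility property, and a plain AES-GCM instance with the same key rejects an XGCM ciphertext, since both the GHASH key and the tag-mask block differ once L is nonzero. The mask costs two 16-byte XORs per block on top of AES and nothing on the GHASH side.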